3. Three Basic Identification Methods of password
• Knowledge (“something I know”): Password, PIN
• Possession (“something I have”): Keys, Passport, Smart Card
• Biometrics (“something I am”): Face, Fingerprint, Iris
4. Password
• It is basically an encryption algorithm.
• Usually it is 8-15 characters or slightly more
than that.
• Most textual passwords nowadays are
kept very simple, say a word from the
dictionary or the names of pets, friends, etc.
5. • Ten years back Klein performed such
tests and he could crack 10-15 passwords
per day. Now, with the change in technology,
fast processors and many tools on the
Internet, this has become child's play.
6. Passphrase
• It is nothing but an enhanced version of a
password.
• Usually it is a combination of words, or
simply a collection of passwords in a proper
sequence.
• It can also contain any well-known thought.
7. • The length of a passphrase is about 30-50
characters, or even more.
• But it also has some limitations, because
30-50 characters are hard to remember
if there is no proper sequence.
8. Biometrics
• Refer to a broad range of technologies
• Automate the identification or verification of an
individual
• Based on human characteristics or body organs
– Physiological: Face, fingerprint, iris
– Behavioral: Hand-written signature, voice
[Figure: Characteristics → Templates]
9. • But biometrics also has some drawbacks.
• Suppose you select your fingerprint as your
biometric.
• But what do you do when you have a crack or
wound on your finger?
• In this situation you might be in trouble.
• And nowadays some hackers can even
make an exact copy of your biometrics.
10. • After seeing all these different security
schemes, it is time to do something more
advanced in this security system.
• Here, the 3-D password comes into the
picture.
11. 3-D password
• 3-D passwords are a more customisable
and very interesting way of
authentication.
• The 3-D password is a multifactor
authentication scheme. To be
authenticated, we present a 3-D virtual
environment where the user navigates and
interacts with various objects. The sequence
of actions and interactions toward the
objects inside the 3-D environment
constructs the user’s 3-D password.
12. • The 3-D password
can combine most existing
authentication schemes such as textual
passwords, graphical passwords, and
various types of biometrics
into a 3-D virtual environment.
The design of the 3-D virtual
environment and the type of objects
selected determine the 3-D
password key space.
13. • This is achieved through interacting only
with the objects that acquire information
that the user is comfortable in providing
and ignoring the objects that request
information that the user prefers not to
provide.
For example, if an item requests an iris
scan and the user is not comfortable in
providing such information, the user
simply avoids interacting with that item.
14. Moreover, giving the user the freedom of
choice as to what type of authentication
schemes will be part of their 3-D password
and given the large number of objects and
items in the environment, the number of
possible 3-D passwords will increase.
Thus, it becomes much more difficult for
the attacker to guess the user’s 3-D
password.
15. • For example, the user can enter the virtual
environment
and type something on a computer that exists in
(x1, y1, z1) position, then enter a room that has a
fingerprint recognition device that exists in a
position (x2, y2, z2) and provide his/her
fingerprint. Then, the user can go to the virtual
garage, open the car door, and turn on the radio
to a specific channel. The combination and the
sequence of the previous actions toward
the specific objects construct the user’s 3-D
password.
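An added example (not from the original slides) of how the walk-through above could be stored and checked: the ordered interactions are serialised and run through a salted, slow hash, so the order and every input matter. The coordinates, object names, the `template-01` matcher output and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)

# Constructed sample of the slide's walk-through; coordinates, object names
# and inputs are made up for illustration.
ENROLLED = [
    {"pos": [2, 0, 5], "object": "computer", "action": "type", "value": "blue heron"},
    # Assumption: the reader's matcher returns a stable template id on a
    # successful match; raw scans differ each time and cannot be hashed.
    {"pos": [7, 0, 1], "object": "fingerprint_reader", "action": "scan", "value": "template-01"},
    {"pos": [9, 0, 9], "object": "car_door", "action": "open", "value": None},
    {"pos": [9, 1, 9], "object": "car_radio", "action": "tune", "value": "98.3"},
]

def canonical(actions):
    """Serialise the ordered interactions deterministically (list order kept)."""
    return json.dumps(actions, sort_keys=True, separators=(",", ":")).encode()

def enroll(actions, salt=None):
    """Return (salt, verifier); only these are stored, never the sequence."""
    salt = salt if salt is not None else os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", canonical(actions), salt, ITERATIONS)
    return salt, verifier

def verify(actions, salt, verifier):
    """Recompute over the presented sequence and compare in constant time."""
    _, candidate = enroll(actions, salt)
    return hmac.compare_digest(candidate, verifier)

if __name__ == "__main__":
    salt, stored = enroll(ENROLLED)
    print("same walk-through:", verify(ENROLLED, salt, stored))
    print("same actions, different order:", verify(ENROLLED[::-1], salt, stored))
```

Because the whole sequence is hashed as one unit, a verifier cannot tell an attacker which step of a guess was wrong.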
16. • Virtual objects can be any object that we
encounter in real life. Any obvious actions
and interactions toward the real-life
objects can be done in the virtual 3-D
environment toward the
virtual objects. Moreover, any user input
(such as speaking in a specific location) in
the virtual 3-D environment can be
considered as a part of the 3-D password.
We can have the
following objects:
17. • 1) a computer with which the user can
type;
2) a fingerprint reader that requires the
user’s fingerprint;
3) a biometrical recognition device;
4) a paper or a white board that a user can
write, sign, or draw on;
5) an automated teller machine (ATM) that
requests a token;
18. 6) a light that can be switched on/off;
7) a television or radio where channels can
be selected;
8) a staple that can be punched;
9) a car that can be driven;
10) a book that can be moved from one
place to another;
11) any graphical password scheme;
12) any real-life object;
13) any upcoming authentication scheme.
19. Snapshot of a proof-of-concept virtual
art gallery, which contains 36
pictures and six computers.
20.
21. • Designing a well-studied 3-D virtual
environment affects the usability,
effectiveness, and acceptability of a 3-D
password system. Therefore, the first step
in building a 3-D password system is to
design a 3-D environment that reflects the
administration needs and the security
requirements. The design of 3-D
virtual environments should follow these
guidelines.
22. • 1) Real-life similarity: The prospective 3-D
virtual environment should reflect what
people are used to seeing in real life. Objects
used in virtual environments should be
relatively similar in size to real objects (sized
to scale).
23. • Possible actions and interactions toward
virtual objects should reflect real-life
situations. Object responses should be
realistic. The target should have a 3-D
virtual environment that users can interact
with, by using common sense.
24. • 2) Object uniqueness and distinction: Every virtual
object or item in the 3-D virtual environment is different
from any other virtual object.
• The uniqueness comes from the fact that every virtual
object has its own attributes
such as position.
Thus, the prospective interaction with
object 1 is not equal to the interaction with object 2.
However, having similar objects such as 20 computers
in one place might confuse the user. Therefore, the
design of the 3-D virtual environment should consider
that every object should be distinguishable from other
objects.
25. A simple real-life example is home numbering.
Assume that there are 20 or more homes that
look like each other and the homes are not
numbered. It would be difficult to distinguish
which house was visited a month ago.
Similarly,
in designing a 3-D virtual environment, it should
be easy for users to navigate through and to
distinguish between objects. The distinguishing
factor increases the user’s recognition of
objects. Therefore, it improves the system
usability.
26. • 3) Three-dimensional virtual environment
size:
• A 3-D virtual environment can depict a city
or even the world. On the other hand, it
can depict a space as focused as a single
room or office. The size of a 3-D
environment should be carefully studied. A
large 3-D virtual environment
27. will increase the time required by the user
to perform a 3-D password.
Moreover, a large 3-D virtual environment
can contain a large number of virtual
objects.
Therefore, the probable 3-D password
space broadens.
However, a small 3-D virtual environment
usually contains only a few objects, and
thus, performing a 3-D password will take
less time.
28. • 4) Number of objects (items) and their types:
Part of designing a 3-D virtual environment is
determining the types of objects and how many
objects should be placed in the environment.
The types of objects reflect what kind of
responses the object will have.
For simplicity, we can consider requesting a
textual password or a fingerprint as an object
response type. Selecting the right object
response types and the number of objects
affects the probable password space of a 3-D
password.
29. • 5) System importance:
The 3-D virtual environment should
consider what systems will be protected by
a 3-D password.
The number of objects and the types of
objects that have been used in the 3-D
virtual environment should reflect the
importance of the protected
system.
30. • Possible critical applications include the
following.
1) Critical servers: Many large
organizations have critical servers that are
usually protected by a textual password.
A 3-D password authentication proposes a
sound replacement for a textual password.
Moreover, entrances to such locations are
usually protected by access cards and
sometimes PIN numbers.
31. Therefore, a 3-D password can be used to
protect the entrance to such locations and
protect the usage of such servers.
32. • 2) Nuclear and military facilities: Such
facilities should be protected by the most
powerful authentication systems.
The 3-D password has a very large
probable password space, and since it can
contain token-, biometrics-, recognition-,
and knowledge-based authentications in a
single authentication system, it is a sound
choice for high level security locations.
33. • 3) Airplanes and jetfighters: Because of
the possible threat of misusing airplanes
and jetfighters for religious-political
agendas, usage of such airplanes should
be protected by a powerful authentication
system.
34. • The 3-D password is recommended for
these systems.
• In addition, 3-D passwords can be used in
less critical systems because the 3-D
virtual environment can be designed to fit
any system’s needs.
35. A small 3-D virtual environment can be
used in many systems, including the
following:
1) ATMs;
2) personal digital assistants;
3) desktop computers and laptop logins;
4) web authentication.
Editor's notes
Be it purchasing goods, boarding an airplane, crossing a border, or performing a financial transaction, reliable authorization and authentication have become necessary for many daily interactions. Essentially, these activities rely upon ensuring the identities and authenticity of the people involved.
Traditionally, authentication is based upon possession-based and knowledge-based identification.
What you have
• Examples: User IDs, Accounts, Cards, Badges, Keys
• Shortcomings:
– Can be shared
– May be duplicated
– May be lost or stolen
What you know
• Examples: Password, PIN
• Shortcomings:
– Many passwords are easily guessed
– Can be shared
– Can be forgotten
Today, daily interactions are becoming increasingly automated, interfacing people with computers. Until recently, the primary authentication components of human computer interaction consisted of passwords and personal identification numbers. However, new authentication technologies are emerging that are capable of providing higher degrees of certainty for identifying an individual. One of these technologies is biometrics.
Biometrics
• Examples: Fingerprint, voiceprint, face, iris
• Not possible to share
• Repudiation unlikely
• Difficult to forge
• Cannot be lost or stolen
Source: Bolle, R.M. et al. (2004) Guide to Biometrics, New York: Springer-Verlag: 1-5
Biometrics refers to a broad range of technologies, systems, and applications that automate the identification or verification of an individual based on his or her physiological or behavioral characteristics. Source: Bolle, R.M. et al. (2004) Guide to Biometrics, New York: Springer-Verlag: 1-5
Physiological biometrics are based on direct measurements of a part of the human body at a point in time. The most common physiological biometrics involve fingerprints, face, hand geometry, and iris. Less common physiological biometrics involve DNA, ear shape, odor, retina, skin reflectance and thermogram. Source: Bolle, R.M. et al. (2004) Guide to Biometrics, New York: Springer-Verlag: 1-5
Behavioural biometrics are based on measurements and data derived from the method by which a person carries out an action over an extended period of time. The most common behavioural biometrics involve hand-written signature and voice. Less common behavioural biometrics involve gait, keystroke pattern, and lip motion. Source: Bolle, R.M. et al. (2004) Guide to Biometrics, New York: Springer-Verlag: 1-5
According to Turk and Pentland, in their seminal paper, “Eigenfaces for Recognition”, which was published in 1991, “In the language of information theory, we want to extract the relevant information in a face image, encode it as efficiently as possible, and compare one face encoding with a database of models encoded similarly.”
Many rationales for deploying biometrics center on improved certainty in determining an individual’s identity and perceived cost savings from the reduced risk of financial losses for the individual or institution deploying the biometric. Source: Nanavati, S. et al. (2002) Biometrics: Identity Verification in a Networked World, New York: John Wiley & Sons, Inc: 1-5